ICMP (type 0, code 0) in syslog

wasonce_2000
Level 1

Hi All,

I'm new to security and am finding several denied on inside interface access-list for ICMP (type 0, code 0) from inside host > outside host. This is happening 24 hours a day. The only thing I can see in the log is we are experiencing ping sweeps from this IP block.

I have run several trojan and virus scans from several different vendors and they return nothing on the inside host.

Is this a normal response from an inside host with a public interface on a single port? I do not allow ICMP from internal host.


jmia
Level 7

Mike,

If you have ACLs on the inside denying ICMP traffic from inside-to-outside then you'll see the syslog message you mentioned. Which PIX IOS are you running?

When you say you can see ping sweeps from this IP Block, is this an inside IP address?

Thanks - Jay.

nkhawaja
Cisco Employee

Hi,

ICMP type 0 is ECHO-Reply. It seems like your inside hosts are sending a lot of replies as a result of ECHO (Ping). We have seen this behaviour as a result of the recent worms, e.g. NACHI/BLASTER. If you are seeing this syslog message a lot, you had better apply an access-list on the inside interface to block it; additionally, you need to inspect your hosts for the possibility of worms.

Thanks

Nadeem

Nadeem, do you have any sample config ACL to block ICMP Echo replies and log them?

Thanks

Daya

lwierenga
Level 1

Are you using any uptime and/or network monitoring software on the inside network?
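
The replies above all come down to which inside hosts are sending the denied echo replies, and to how many outside addresses. The Python script below is an added example, not part of any post in this thread: it tallies denied ICMP type 0, code 0 entries per inside host from firewall syslog. The line layout (PIX deny message 106023), the interface names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout of the PIX ACL deny message (106023); adjust to match your own logs.
DENY_RE = re.compile(
    r"Deny icmp src (?P<sif>[\w-]+):(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst (?P<dif>[\w-]+):(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# Constructed sample lines using documentation address ranges, not taken from the thread.
SAMPLE_LOG = """\
Mar 03 10:00:01 fw %PIX-4-106023: Deny icmp src inside:192.0.2.10 dst outside:198.51.100.5 (type 0, code 0) by access-group "inside_in"
Mar 03 10:00:02 fw %PIX-4-106023: Deny icmp src inside:192.0.2.10 dst outside:198.51.100.6 (type 0, code 0) by access-group "inside_in"
Mar 03 10:00:03 fw %PIX-4-106023: Deny icmp src inside:192.0.2.10 dst outside:198.51.100.5 (type 0, code 0) by access-group "inside_in"
Mar 03 10:00:04 fw %PIX-4-106023: Deny icmp src inside:10.1.1.20 dst outside:203.0.113.9 (type 8, code 0) by access-group "inside_in"
Mar 03 10:00:05 fw %PIX-4-106023: Deny tcp src inside:10.1.1.20/1042 dst outside:203.0.113.9/445 by access-group "inside_in"
Mar 03 10:00:06 fw %PIX-4-106023: Deny icmp src inside:10.1.1.30 dst outside:203.0.113.9 (type 0, code 0) by access-group "inside_in"
"""


def summarize_echo_replies(lines, inside_if="inside"):
    """Return {inside_host: Counter(outside_dst -> denied echo-reply count)}."""
    per_host = defaultdict(Counter)
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ICMP deny line in the assumed layout
        # Keep only echo replies (type 0, code 0) sourced from the inside interface.
        if m["sif"] != inside_if or (m["type"], m["code"]) != ("0", "0"):
            continue
        per_host[m["src"]][m["dst"]] += 1
    return dict(per_host)


def report(per_host):
    """Rows of (host, total replies, distinct destinations, top 3 destinations)."""
    return [
        (host, sum(dsts.values()), len(dsts), dsts.most_common(3))
        for host, dsts in sorted(per_host.items())
    ]


if __name__ == "__main__":
    for host, total, distinct, top in report(summarize_echo_replies(SAMPLE_LOG.splitlines())):
        print(f"{host}: {total} denied echo replies to {distinct} outside hosts; top: {top}")
```

A host replying to many distinct outside addresses is answering echo requests that reached it, while a short, stable list of destinations is easier to match against known monitoring software.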